Ok, I’ve pushed a few changes onto the release/1.0.0-incubating.M1 branch:
1) KEYS file is present (GEODE-776)
2) md5 / sha256 hashes are generated for distributions (GEODE-775)
3) artifacts and distributions for release builds are signed (GEODE-775)
4) generate sources / javadoc jars for maven publishing (GEODE-777)
5) fix for building source from non-git directory (GEODE-778)
To build on a release branch (where the version does not end with -SNAPSHOT)
you will need to set these properties in ~/.gradle/gradle.properties:
signing.keyId=
signing.password=
signing.secretKeyRingFile=
One thing I noticed is that the publish target (`gradle publish`) only uploads
jars/poms for these projects:
- gemfire-common
- gemfire-core
- gemfire-json
- gemfire-joptsimple
- gemfire-lucene
and does not consider signature files, sources, or javadoc jars. GEODE-27
discusses a related issue of fixing the dependencies / repositories listed in
the pom files.
Anthony
> On Jan 11, 2016, at 8:52 PM, Nitin Lamba <[email protected]> wrote:
>
> Thanks Anthony
>
> Roman, thanks for your offer to help with PGP, I'm sure we'll need it soon :)
>
> As a follow-up, I've created the JIRA (GEODE-776) to add the KEYS file. Will
> create mine shortly and comment.
>
> Best,
> Nitin
>
> ________________________________________
> From: [email protected] <[email protected]> on behalf of Roman
> Shaposhnik <[email protected]>
> Sent: Monday, January 11, 2016 8:09 PM
> To: [email protected]
> Subject: Re: releaseType?
>
> Seems like our emails have crossed. At this point you need to
> assemble a few trusted keys (yours, Nitin's, Mark's and perhaps
> a few other folks' as the minimum set) into a single key file and
> make it available in SVN tree that manages ASF releases.
>
> I suggest opening a GEODE jira asking folks to share their keys
> specially designed to sign release as comments in that JIRA.
> Note that it is best to have an identity bound to our key clearly
> designated as a release management key. E.g.:
> https://dist.apache.org/repos/dist/release/bigtop/KEYS
>
> pub 1024D/9475BD5D 2010-10-08
> uid Roman V Shaposhnik (CODE SIGNING KEY) <[email protected]>
> sig 3 9475BD5D 2011-11-01 Roman V Shaposhnik (CODE SIGNING KEY) <[email protected]>
>
> Thanks,
> Roman.
>
> P.S. I'm kind of a crypto geek in my prior life so please let me know
> if more background on how to manage release signing keys would
> be useful to you
>
> On Mon, Jan 11, 2016 at 7:44 PM, Anthony Baker <[email protected]> wrote:
>> Here’s my key but I’m not sure if it is sufficiently trusted yet:
>>
>> http://pgp.surfnet.nl/pks/lookup?op=vindex&search=abaker%40apache.org&fingerprint=on
>>
>> Anthony
>>
>>
>> On Jan 11, 2016, at 6:54 PM, Nitin Lamba <[email protected]> wrote:
>>
>> Great!
>>
>> If we're good with the latest versions of NOTICE and LICENSE files, we're
>> about done with the src artifacts ready for review by ASF elders.
>>
>> The next step is code-signing and needs a few committers to have their PGP
>> signatures uploaded on a public key server [1]. More details on release
>> signing here [2], [3]. Is anyone from Geode PMC already in the 'web of
>> trust'? I do see Roman on the list.
>>
>> - Nitin
>>
>> [1] https://people.apache.org/committers.html
>> [2] http://www.apache.org/dev/release-signing.html#link-into-wot
>> [3] http://www.apache.org/dev/openpgp.html#wot
>>
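An added example, not part of the original email or of the Geode build: a pre-publish audit for the gap described above, where jars and poms are uploaded without their signature files, sources or javadoc jars. The flat directory layout, the `.asc` / `.md5` / `.sha256` suffixes, the function names and the report labels are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: audit a flat directory of staged release files.
# Suffix conventions (.asc, .md5, .sha256) and report labels are assumptions.

sha256_of() {
    # Print only the hex digest of file $1.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

report() {
    # Print one finding and count it.
    echo "$1 $2"
    problems=$((problems + 1))
}

audit_release_dir() {
    dir=$1
    problems=0
    for f in "$dir"/*.jar "$dir"/*.pom "$dir"/*.zip "$dir"/*.tar.gz; do
        [ -f "$f" ] || continue            # glob matched nothing
        name=${f##*/}
        # Every published file needs a detached signature next to it.
        [ -f "$f.asc" ] || report MISSING-SIGNATURE "$name"
        case $name in
            *-sources.jar | *-javadoc.jar) ;;   # companions, checked via the main jar
            *.jar)
                for c in sources javadoc; do
                    [ -f "${f%.jar}-$c.jar" ] || report "MISSING-$c" "$name"
                done ;;
            *.zip | *.tar.gz)
                [ -f "$f.md5" ] || report MISSING-MD5 "$name"
                if [ ! -f "$f.sha256" ]; then
                    report MISSING-SHA256 "$name"
                elif [ "$(awk '{print $1; exit}' "$f.sha256")" != "$(sha256_of "$f")" ]; then
                    report SHA256-MISMATCH "$name"
                fi ;;
        esac
    done
    [ "$problems" -eq 0 ]                  # non-zero exit if anything was reported
}

# Run against a directory when one is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_release_dir "$1"
fi
```

The audit only proves that a signature file exists next to each artifact; each `.asc` still has to be verified with `gpg --verify` against the keys published in KEYS.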
